
<h2>OpenVPN Server Setup</h2>

<p>(Tested on CentOS 5.2)

<pre>
# yum install openvpn
# cd /etc/openvpn/
# cp -R /usr/share/doc/openvpn-2.0.9/easy-rsa/ /etc/openvpn/
# cd /etc/openvpn/easy-rsa/2.0/
# chmod +rwx *
# vi ./vars # <i>(at the bottom of the file change the KEY_* values to match the site; edit it before sourcing it, otherwise the build-* scripts see the old values)</i>
# source ./vars # <i>(exports the values for the build-* scripts; clean-all and build-ca refuse to run until vars has been sourced)</i>
# ./clean-all # <i>(wipes the keys/ directory, so run it once only, before build-ca)</i>
# ./build-ca # <i>(this builds the CA certificate ca.crt and its private key ca.key)</i>
# ./build-key-server server # <i>(this builds the server.crt and server.key files)</i>
</pre>

<pre>
# vi /etc/openvpn/openvpn.conf # <i>(UDP is faster on slow lines; use the TCP configuration below as a starting point)</i>
port 1723 # 1194 is the default, but some APN networks block it (1723 is normally the PPTP port)
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
server 172.16.0.0 255.255.255.0
push "dhcp-option DNS 192.168.168.1"
push "dhcp-option DNS 168.210.2.2"
#push "dhcp-option WINS 192.168.1.2"
push "route 192.168.168.0 255.255.255.0"
ifconfig-pool-persist ipp.txt
keepalive 10 120
comp-lzo
user nobody
group users
persist-key
persist-tun
status openvpn-status.log
verb 3
client-to-client
duplicate-cn # several users may connect with the same key; note that one shared key can then only be revoked for all of them at once
</pre>

<pre>
# cp keys/{ca.crt,ca.key,server.crt,server.key} /etc/openvpn/
# ./build-dh # <i>(builds the dh1024.pem Diffie-Hellman parameters)</i>
# cp keys/dh1024.pem /etc/openvpn/
# /etc/init.d/openvpn start
# chkconfig openvpn on # <i>(start at boot)</i>
# chkconfig --list | grep vpn # <i>(make sure it is set to start at boot)</i>
# ./build-key shisaka # <i>(rinse and repeat if you want several individual keys)</i>
# cd keys/
# zip ttt.zip ca.crt shisaka.crt shisaka.csr shisaka.key # <i>(never include ca.key: whoever holds it can issue certificates the server will accept)</i>
# yum install -y nail
# nail -s "Keys" -a ttt.zip camerons@pcb.co.za bandi@pcb.co.za # <i>(the zip carries a private key, so only mail it over a trusted path or hand it over out of band)</i>
# /etc/init.d/openvpn restart
# netstat -ntpl | grep 1723
</pre>

<p>Add these iptables rules so the firewall admits the VPN traffic ($IPTABLES, $EXTIF, $EXTIP, $INTIF, $INTNET and $UNIVERSE are assumed to be the variables already defined in the site's firewall script):

<pre>
# VPN interface (the tun device OpenVPN creates) and its address range
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
# Accept incoming OpenVPN connections on the external interface (port and protocol must match openvpn.conf)
$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE -d $EXTIP --destination-port 1723 -j ACCEPT # OpenVPN

# Allow TUN interface connections to OpenVPN server
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A OUTPUT -o $VPNIF -s $EXTIP -d $VPNNET -j ACCEPT
# OpenVPN
$IPTABLES -A FORWARD -i $EXTIF -o $VPNIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $EXTIP -d $VPNIP -j ACCEPT
$IPTABLES -A FORWARD -o $EXTIF -s $EXTIP -d $VPNNET -j ACCEPT
$IPTABLES -A FORWARD -o $VPNIF -s $INTNET -d $VPNNET -j ACCEPT
</pre>

<p>The client-side instructions follow below.

<h2>Installing OpenVPN GUI on Windows XP</h2>

<p>Once the OpenVPN server has been set up and the client key(s) have been made available to you for installation, follow
these steps to roll the VPN out to the clients:

<p>Download the client software from http://www.openvpn.se/

<p>The tested version is 1.0.3.

<p>Install the program.

<p>Under C:\Program Files\OpenVPN\config place the following (the client needs only the CA certificate ca.crt; the CA private key ca.key stays on the server and is never copied to a client):
<pre>
ca.crt
client.ovpn (you might need to edit this file later)
username.crt (e.g. johnl.crt)
username.csr
username.key
</pre>

<p>Edit the client.ovpn file and ensure that the following fields match up for the site / user:
<pre>
# The transport must match the server's
# "proto tcp" line; the sample client.ovpn
# ships with "proto udp".
proto tcp
# The hostname/IP and port of the server.
# You can have multiple remote entries
# to load balance between the servers.
remote fw1.isasa.org 1723
;remote my-server-2 1194
# SSL/TLS parms.
# See the server config file for more
# description. It's best to use
# a separate .crt/.key file pair
# for each client. A single ca
# file can be used for all clients.
ca ca.crt
cert johnl.crt
key johnl.key
</pre>
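<p>The server openvpn.conf and the client.ovpn fragment above must agree on proto and port, and the zip step decides which private keys reach the client. The checker below is an added example, not part of the original page: it parses both files in OpenVPN's directive syntax and flags the mismatches that break or weaken this setup. The sample configs, hostname and file list are constructed to mirror the page's fragments.

```python
import shlex
# Constructed samples modelled on this page's openvpn.conf and client.ovpn fragments (placeholder names).
SERVER_CONF = """
port 1723   # 1194 is the default but blocked on some APN networks
proto tcp
duplicate-cn
"""
CLIENT_OVPN = """
proto udp
remote fw1.isasa.org 1723
;remote my-server-2 1194
cert johnl.crt
key johnl.key
"""
# Files the page's 'zip ttt.zip ...' step hands to the client
CLIENT_BUNDLE = ["ca.crt", "ca.key", "client.ovpn", "johnl.crt", "johnl.csr", "johnl.key"]

def parse_ovpn(text):
    """Map each directive to the argument lists of its occurrences ('#' and ';' start comments)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        name, *args = shlex.split(line)  # keeps push "dhcp-option ..." as one argument
        directives.setdefault(name, []).append(args)
    return directives

def check_deployment(server_text, client_text, bundle_files):
    """Return findings (empty list = consistent and clean) for a server/client/bundle triple."""
    srv, cli = parse_ovpn(server_text), parse_ovpn(client_text)
    findings = []
    # server 'proto tcp' means tcp-server, so the client needs tcp (tcp-client), not the sample's udp
    srv_proto, cli_proto = (d.get("proto", [["udp"]])[0][0].split("-")[0] for d in (srv, cli))
    if srv_proto != cli_proto:
        findings.append(f"proto mismatch: server {srv_proto}, client {cli_proto}")
    srv_port = srv.get("port", [["1194"]])[0][0]  # every client 'remote host [port]' must use it
    remote_ports = {r[1] if len(r) > 1 else "1194" for r in cli.get("remote", [])}
    if srv_port not in remote_ports:
        findings.append(f"port mismatch: server listens on {srv_port}, client uses {sorted(remote_ports)}")
    # the bundle may carry exactly one private key, the client's own; ca.key stays on the CA host
    client_key = cli.get("key", [[None]])[0][0]
    for name in bundle_files:
        if name.endswith(".key") and name != client_key:
            findings.append(f"private key {name} in client bundle; only {client_key} belongs there")
    if "duplicate-cn" in srv:
        findings.append("duplicate-cn: a key shared by several users cannot be revoked per user")
    return findings
```

<p>Run against the page's fragments it reports the udp/tcp mismatch, the stray ca.key in the bundle and the duplicate-cn setting; with the client switched to proto tcp and ca.key dropped from the zip only the duplicate-cn note remains.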

<p>Start OpenVPN and the client machine should connect.

<p>To do this, right-click the OpenVPN icon in the task tray and click 'Connect', or start the program from the Start menu.

